[00:48.140 --> 00:54.160]  Welcome to Space Security Challenge 2020, HackASAT, the final event.
[00:54.160 --> 00:59.320]  As the democratization of space opens up a new frontier for exploration and innovation,
[00:59.320 --> 01:03.160]  we see new cybersecurity vulnerabilities emerging.
[01:04.080 --> 01:08.920]  The Space Security Challenge is designed to inspire the world's top cybersecurity talent
[01:08.920 --> 01:14.080]  to develop the skills necessary to secure this last frontier of cybersecurity.
[01:14.080 --> 01:18.840]  Space. And already we've made a ton of progress.
[01:18.840 --> 01:20.280]  I'll catch you up.
[01:20.440 --> 01:24.360]  This spring we hosted over 2,000 teams who worked their way through a set of
[01:24.360 --> 01:29.960]  foundational space cybersecurity challenges in our HackASAT qualification round.
[01:29.960 --> 01:34.340]  Now, eight finalist teams are stepping up to the ultimate challenge.
[01:34.660 --> 01:37.440]  They are hacking a satellite.
[01:44.180 --> 01:49.820]  Welcome to the Saturday daily recap of Space Security Challenge 2020, or HackASAT.
[01:50.420 --> 01:53.500]  For the second to last time, I'm your host, Jordan Wines,
[01:53.500 --> 01:56.800]  and it's time to fill you in on how our competitors did on day two
[01:56.800 --> 01:59.720]  of this first-of-its-kind satellite hacking competition.
[01:59.840 --> 02:03.140]  Okay, let's get right to the moment everyone's been waiting for.
[02:03.140 --> 02:08.040]  Here is our video to show which team was selected for the on-orbit challenge.
[02:09.620 --> 02:12.040]  Oh, I'm sorry.
[02:12.420 --> 02:16.360]  Actually, it appears that we're experiencing some technical difficulties.
[02:16.800 --> 02:19.680]  Yeah, I guess that means you're going to have to listen to the rest of this update,
[02:19.680 --> 02:22.160]  and then we'll play the big reveal at the end instead.
[02:22.440 --> 02:25.140]  So let's take a look back at today's action.
[02:32.100 --> 02:36.460]  In fact, let's go ahead and take a look at the scoreboard now in our live octagon feed.
[02:37.260 --> 02:39.400]  And they definitely haven't slowed down.
[02:39.400 --> 02:43.300]  You'll notice that SolarWine actually scored first blood on Challenge 3.
[02:43.300 --> 02:46.100]  Congratulations to them for the great work overnight.
[02:46.100 --> 02:52.840]  You can also see FluxRepeatRocket scoring just before this broadcast with only a 5% reduction in total points.
[02:52.840 --> 02:57.380]  That means SolarWine and FluxRepeatRocket are both moving on to Challenge 4.
[02:57.380 --> 03:01.720]  While the score hasn't changed, we have had one important game milestone pass us by.
[03:01.720 --> 03:04.080]  We timed out unavailable points for Challenge 3.
[03:04.080 --> 03:07.580]  That means those two teams, SolarWine and FluxRepeatRocket,
[03:07.580 --> 03:13.660]  they've obtained points for that challenge and all other teams were given a solution script so they can focus on the next challenge.
[03:19.020 --> 03:23.600]  If you've been following along at home, you know that we sprung our on-orbit challenge on our teams yesterday.
[03:23.600 --> 03:30.120]  We had four teams submit their solutions by 4 p.m. Pacific, our deadline for evaluation for on-orbit,
[03:30.120 --> 03:34.900]  but only one was selected to have their code sent to the live satellite to capture a moonshot.
[03:34.900 --> 03:38.020]  We will learn who that lucky team is later on in the broadcast.
[03:39.140 --> 03:45.820]  While today's action started strong with several early scores, teams really struggled their way through Challenge 4 today.
[03:45.820 --> 03:51.100]  While the organizers knew it would be the hardest challenge, the hope was that it would be solved before this point.
[03:51.100 --> 03:55.720]  In fact, in the last hour of the competitions, some teams had run so low on power
[03:55.720 --> 04:00.600]  that the organizers offered to take the flatsats offline so they could plug them into power.
[04:00.600 --> 04:04.840]  This would mean teams would have challenges in solving Challenge 5,
[04:04.840 --> 04:09.820]  but hopefully it would give them enough power and time to solve Challenge 4 in the last few minutes.
[04:10.000 --> 04:15.120]  Given that, here is our explanation for the Challenge 4 solution.
[04:16.180 --> 04:17.760]  Challenge 4.
[04:18.440 --> 04:19.900]  Here's what we know.
[04:19.900 --> 04:24.160]  We've restored communication with the payload module, but we still can't operate it.
[04:24.160 --> 04:30.100]  The challenge? Now teams must restore normal operations of the payload module so we can access the imager.
[04:30.280 --> 04:31.880]  Here's how they do it.
[04:31.880 --> 04:38.080]  Teams discover that the payload module bootloader has been corrupted, which is why the payload module is not operating normally.
[04:38.080 --> 04:43.800]  The teams discover a system console to the payload module and the ability to access the payload module system console
[04:43.800 --> 04:49.360]  by controlling an undocumented GPIO and multiplexer on the CNDH board.
[04:49.360 --> 04:56.580]  The teams must write a custom flight software application that can control the GPIO and enable access to the payload system console.
[04:56.580 --> 05:01.420]  After writing the application, the teams must upload it to the CNDH and execute it.
[05:01.420 --> 05:06.360]  Once the teams have access to the system console, they will identify that it has been corrupted.
[05:06.680 --> 05:14.620]  The teams will need to research nominal Qubose bootloader configuration and repair the payload module's bootloader to resume proper operation of the payload module.
[05:20.140 --> 05:25.240]  As I mentioned during a previous update, there was always a chance that the scoreboard was going to go dark.
[05:25.240 --> 05:31.120]  And sure enough, with 30 minutes left in the competition, as teams were hopefully nearing in on a Challenge 4 solution,
[05:31.120 --> 05:33.920]  the organizers decided to keep us all in suspense.
[05:33.920 --> 05:38.160]  Here's a look at our final scoreboard that everyone saw before it went dark.
[05:39.680 --> 05:45.380]  As we can tell, we had a couple of solves later on, but early was where most of the action happened.
[05:45.380 --> 05:52.560]  However, with our accepted and rejected on-orbit status, we knew that there were two teams who would not be eligible for final prizes.
[05:52.680 --> 05:57.480]  We will make the final actual scores available tomorrow during the closing ceremony.
[05:57.480 --> 06:06.620]  Before you make your predictions on our podium winners, let's take a look at the final Challenge 5 to see what it was teams would have had to solve after they finished Challenge 4.
[06:07.920 --> 06:08.960]  Challenge 5
[06:10.160 --> 06:15.540]  Here's what we know. We've done our best work, and it seems that we've regained control of the satellite.
[06:15.720 --> 06:17.480]  But how do we know for sure?
[06:17.860 --> 06:24.460]  The challenge? Teams must prove that we are fully in control of the satellite system by successfully imaging the moon.
[06:34.230 --> 06:38.770]  I thought I could have solved some of these challenges, and the answer was almost certainly not.
[06:38.770 --> 06:42.630]  I've got a lot of respect for the teams out there who made progress at all through this event.
[06:42.630 --> 06:49.490]  With a very difficult environment, very different to what many other CTFs have to do, there's a lot of extra constraints you have to worry about.
[06:49.570 --> 06:56.890]  For more information on that, let's do one last Q&A session with Jason Latimer to talk about how teams were approaching Challenge 4.
[06:56.970 --> 06:59.770]  Let's see if we can get him in here. Jason, do you hear me?
[07:00.430 --> 07:01.390]  Yeah, I got you.
[07:01.390 --> 07:07.150]  Excellent, and I hear you as well. Great. So, we're wrapped up. The game is over.
[07:07.150 --> 07:15.510]  I hopped into a couple of your calls, and I was listening to you guys describe some of the approaches teams were taking on Challenge 4.
[07:15.670 --> 07:19.890]  I thought there were some really, really interesting things that came out of that. I'd love to hear a little bit more from your perspective.
[07:20.470 --> 07:28.810]  Yeah, so the background on Challenge 4 was that the teams had gotten past the implant that the adversary had put on the satellite,
[07:28.810 --> 07:33.870]  and that they were trying to use the payload, and quickly found that the payload wasn't functional.
[07:35.050 --> 07:42.290]  So, what the adversary had done was corrupted the bootloader, and so they had to uncorrupt the bootloader.
[07:42.530 --> 07:48.370]  There were a number of approaches. Teams seemed to be struggling in the beginning, so at one point we gave a hint that said,
[07:48.370 --> 07:56.630]  hey, you need to write an application that's capable of communicating with the system console and enabling that system console via GPIO.
[07:56.630 --> 08:01.830]  Very quickly, teams started uploading their custom CFS applications.
[08:01.970 --> 08:10.270]  Some teams were just trying to enable the GPIO to control the system console based on other GPIOs that were already on the system,
[08:10.270 --> 08:12.270]  and they had done that successfully.
[08:12.270 --> 08:20.350]  And then we had some unique approaches where teams were trying to upload applications that could do TFTP transfers to the device.
[08:20.350 --> 08:24.230]  So, we had a number of different approaches to Challenge.
[08:24.230 --> 08:29.410]  So, the application that they're compiling, was this just a standard compiler they could use,
[08:29.410 --> 08:34.930]  or what sort of information about that environment did they have to have to build these custom applications?
[08:35.450 --> 08:38.190]  Yeah, so it's actually a little bit more complicated than that.
[08:38.190 --> 08:42.610]  We didn't want that to be the challenge behind the whole restoring the bootloader,
[08:42.610 --> 08:49.090]  so we actually did provide to the teams ahead of time the RTEMs build environment they would need to build an application.
[08:49.090 --> 08:57.090]  And then we provided also a set of example applications that they could use as a template for creating this application
[08:57.090 --> 08:59.790]  that would restore the bootloader on the payload.
[08:59.970 --> 09:04.670]  There were still quite a bit of challenges there because there were specific peripherals that they'd have to be able to control.
[09:04.670 --> 09:13.810]  So, talking to specific UART and GPIO drivers to do that, so it was non-trivial.
[09:13.990 --> 09:15.710]  Yeah, what did your solution look like?
[09:15.710 --> 09:20.090]  Did it rebuild it or how did your intended solution work on that?
[09:20.190 --> 09:28.410]  So, we had a custom application that ran in CFS that could talk to the Raspberry Pi system console over the UART.
[09:28.410 --> 09:31.750]  So, it was literally like talking to this system console.
[09:31.750 --> 09:36.370]  We would send a command and we could do an LS on the shell or whatever it was.
[09:36.370 --> 09:42.630]  And through that, we could restore the bootloader via just typical system console commands.
[09:42.630 --> 09:47.690]  But in order to actually enable that UART, we had a GPIO that was hidden.
[09:47.930 --> 09:57.190]  So, one of the challenges for Challenge 4 was actually looking through the FPGA Verilog and VHDL code and finding that that actually existed.
[09:57.190 --> 10:05.150]  So, we had gotten some feedback during quals that teams were really interested in doing that kind of documentation reverse engineering.
[10:05.150 --> 10:08.330]  So, we went to a lot of effort to make sure that that existed.
[10:08.330 --> 10:15.210]  So, to even identify that that was there, they were doing code inspections of the VHDL and the Verilog for the FPGA.
[10:15.270 --> 10:21.270]  Now, I heard hints that at least one team was doing something creative with direct memory writes.
[10:21.270 --> 10:23.110]  What do we know about that?
[10:24.310 --> 10:30.230]  All we know about that, well, teams were doing uploads of applications,
[10:30.230 --> 10:37.610]  but it looked like some teams were using the direct memory writes to actually interact with that shell, the Raspberry Pi shell.
[10:37.610 --> 10:42.010]  So, a little different than our approach, but yeah, it was interesting.
[10:42.330 --> 10:44.610]  If it gets your code running, it gets it working, right?
[10:44.610 --> 10:49.830]  There's no points for the jankiness or the cleverness. It's just, does it solve the challenge, right?
[10:49.830 --> 10:54.110]  So, one of the things that I just mentioned to people, of course, was the power constraints
[10:54.110 --> 10:58.090]  and how many of the satellites were running low on power at the end from a lot of movement throughout the day
[10:58.090 --> 11:03.430]  and a lot of usage and the sort of option they had to get connected to a ground power.
[11:03.730 --> 11:05.890]  Tell me how that changed the sort of Challenge 5 requirements.
[11:05.890 --> 11:10.210]  And if a team was able to solve a Challenge 4 after the SCOBR went dark,
[11:10.210 --> 11:14.710]  would they have been able to do it from the ground or was that completely impossible or what happened there?
[11:15.550 --> 11:19.930]  Yeah, so we talked with the organizers and based on the fact that we had these power constraints
[11:20.850 --> 11:26.170]  and that the teams that had elected to be put on the ground wouldn't be able to get a picture of the moon,
[11:26.170 --> 11:30.130]  we adjusted the criteria for Challenge 5 to just be get a picture.
[11:30.130 --> 11:39.290]  It was interesting to see what the different teams were doing as far as power.
[11:39.630 --> 11:43.850]  Some teams had conserved their power throughout the day and other teams had not.
[11:43.850 --> 11:48.670]  So, we had some teams that were in the running to solve Challenge 4 that said,
[11:48.670 --> 11:51.330]  hey, we don't want to be put on the ground. We'll just stay on the carousel.
[11:51.710 --> 11:53.610]  We've been good with the batteries all day.
[11:53.710 --> 11:57.950]  And we actually mentioned that in an earlier update here that power was potentially a concern.
[11:57.950 --> 12:00.410]  And it was nice that teams weren't entirely out of the running.
[12:00.410 --> 12:06.270]  There was sort of a backup mechanism, but it cost them time while their flat set was taken down, was rewired in.
[12:06.270 --> 12:10.810]  And so, that was sort of a penalty for exercising that option, although they weren't kind of out of the running entirely.
[12:10.810 --> 12:12.470]  That works out great.
[12:12.630 --> 12:17.810]  All right, well, thank you very much for taking time to talk to us and we'll continue on with the rest of our update.
[12:18.350 --> 12:19.290]  Thank you.
[12:20.510 --> 12:24.830]  All right, now the moment that you hopefully have actually been waiting for.
[12:24.830 --> 12:29.650]  We're going to answer the question as to which team had their code sent into space tonight.
[12:30.430 --> 12:35.130]  So, the video that we're going to look at here is the same one that I previewed earlier.
[12:35.130 --> 12:39.430]  So, we can see Poland Can is the very first team to get an acceptable payload.
[12:39.430 --> 12:42.830]  We knew that from watching the scoreboard and got reasonably close.
[12:42.970 --> 12:45.010]  Next coming in are going to be several other teams.
[12:45.010 --> 12:48.650]  ADD Vulcan, number two, and then number three, Flux Repeat Rocket.
[12:48.650 --> 12:53.650]  So, we've got the three quickest ones and then we're going to have right here a Samurai come in.
[12:53.650 --> 12:55.910]  So, these were the four that came in before the timeline.
[12:55.910 --> 12:58.690]  So, if we stop right now, this is our launch cutoff, right?
[12:58.690 --> 13:00.930]  So, these were the teams that came in.
[13:00.930 --> 13:10.730]  And if we look at closest to the bullseye, you can see that Poland Candidate Space just beat out Flux Repeat Rocket with the most accurate solution during our window.
[13:10.730 --> 13:15.030]  And this is the payload that's being run on an actual satellite right now.
[13:15.030 --> 13:20.010]  So, we're looking forward to getting the results back from that tonight as it runs.
[13:20.010 --> 13:23.690]  And then tomorrow during the live event, we're going to show you, hopefully, the moonshot.
[13:23.690 --> 13:25.710]  We'll find out how accurate it was.
[13:25.810 --> 13:33.030]  And, of course, we're going to continue the run here because, as I mentioned earlier, we know there was that sort of like sudden death for the last two slots, right?
[13:33.030 --> 13:36.290]  And we could see the teams that were two more slots that were available.
[13:36.450 --> 13:40.870]  And so, after that 7 p.m. cutoff, we had a quick 1550 tree that was able to make it in.
[13:40.870 --> 13:44.010]  But we also noticed that Poland Candidate really got in close.
[13:44.010 --> 13:45.970]  And so, they got a really, really nice solution.
[13:45.970 --> 13:47.010]  They kept iterating on it.
[13:47.010 --> 13:47.910]  There was no points for it.
[13:47.910 --> 13:51.310]  It was not considered for the on-orbit.
[13:51.570 --> 13:58.850]  But it was so good that the individuals we had evaluating all of the solutions, they had a lot of automation.
[13:58.850 --> 14:00.790]  But there was also, I guess, a little bit of an art to it.
[14:00.790 --> 14:06.490]  They were explaining that they thought that final Poland Candidate was so beautiful that it was like a piece of art.
[14:06.490 --> 14:08.890]  They loved that final solution.
[14:09.210 --> 14:16.710]  And then, of course, we had our last solve here coming in that's going to be from PFS, which we've already revealed.
[14:16.710 --> 14:29.990]  They were the last team to make it into the qualifying minimal acceptable range, which unfortunately left our two other teams, which were SolarWind and 1064 Seabred, not in the running for that.
[14:30.030 --> 14:41.790]  So, first of all, congrats to Team Poland Candidate for submitting not only the best solution overall throughout the whole evaluation period, but the solution that is going to space.
[14:41.790 --> 14:43.930]  Let's see their team bio again.
[15:16.190 --> 15:22.510]  And into space, I can confirm that your commands were uplinked in our comms window earlier today.
[15:22.530 --> 15:29.490]  We expect the moonshot to happen in a couple of hours at 630 Pacific, and that picture will be sent down to Earth at about 1 a.m. Pacific.
[15:29.490 --> 15:33.850]  We will reveal what is hopefully a clear moonshot picture at tomorrow's closing ceremonies.
[15:33.850 --> 15:36.450]  It all depends on how accurate your command really was.
[15:36.450 --> 15:37.490]  Fingers crossed.
[15:37.790 --> 15:42.410]  You'd think that just watching instead of playing would be less stressful, and I'm sure it was worse for our competitors.
[15:42.410 --> 15:47.850]  But even in the production room, we were cheering and sweating along with our teams as they worked their way through these challenges.
[15:48.010 --> 15:50.550]  Thanks very much for joining us throughout this event.
[15:51.390 --> 15:53.110]  That's it for today's recap.
[15:53.110 --> 16:02.730]  Make sure you tune in to Hackensack Closing Ceremonies tomorrow at 11 Pacific, where we will hopefully reveal the world's first CTF moonshot taken by Poland Candid to space.
[16:02.730 --> 16:09.550]  We'll also show you the overall contest results and award the prizes to our teams and reveal what happened after the scoreboard went dark.
[16:09.550 --> 16:14.870]  We'll also hear closing remarks by Dr. Will Roper from the U.S. Space Force and Air Force Acquisition Chief.
[16:14.990 --> 16:19.730]  Be sure to also check out all the great happenings going on at DEFCON and in the Aerospace Village.
[16:19.790 --> 16:22.570]  See you tomorrow at 11 Pacific for the closing ceremonies.
